> The app errors because the resulting string is missing a double quote.
>I have uploaded a new demo, downloadable from
>http://www.class-software.eu/sqlparameters2.zip, which demonstrates the
>login bypass using your own code.
>
>Username: admin'" &&
>pass: any random password.
Also correct.
Fortunately, the validation code built into my base business object class
caught that example--because the string contained an ampersand preceded by
a space and followed by something other than a space, which looked like an
attempt at macro execution.
Any form that uses a subclass of my business object class will have the
contents of every single textbox and editbox on it checked for that, and a
bunch of other problematic things, before anything is done with the user's
input.
That code is 8 years old, and its details were also forgotten by me.
>Ken, trust me, I have TONS of experience in this kind of shit. You should
>take in account that I have 20 years of experience and I've been VFP MVP
>for 5 years in a row until they retired the award.
>There is NO WAY to protect yourself if you're using string concatenation,
>in ANY form.
I have 20 years of experience also.
All of the examples you've shown me so far rely on the ability to inject
characters that break the line. I've just spent a few hours searching this
topic on Google and I can't find a single example that doesn't rely on
injecting characters that break the line. In that case, why would not
something as simple as this work?
* Regular expressions would make this easier but I'm no expert on those...
* "$" is the VFP substring test; "&" + "&" is written that way because
* a literal && would start an inline comment in the source.
IF (NOT ("&" + "&") $ mylogin) ;
AND (NOT "--" $ mylogin) ;
AND (NOT ";" $ mylogin) && And whatever else you want to test for...
* Concatenate and execute
ELSE
* MESSAGEBOX("Invalid Login.")
ENDIF
Or why not:
* Strip the same sequences instead of rejecting the input outright.
mylogin = STRTRAN(mylogin,"&"+"&","")
mylogin = STRTRAN(mylogin,"--","-")
mylogin = STRTRAN(mylogin,";","")
Yeah, people can write entire sentences that include semicolons and double
hyphens and enter them into search engines. I think most of those search
engines strip that stuff out so they can get "near" matches.
>On the other hand: do you realistically believe that those huge enterprise
>distributed apps (such as SAP, or banking apps) are using string
>concatenation? I've had the chance to assist a SAP implementation and I can
>tell you they don't. Parameters all the way (which, in turn, make easy to
>pass parameters which are not easily serializable, such as byte arrays for
>webservices).
You mean the ones that keep giving out people's (USA) social security
numbers and credit card authorization codes to hackers? Just the other day
I got a letter saying that my gas and electric utility, which is owned by a
multinational company headquartered in Spain, got hacked. I don't know what
they're using, but whatever it is, they keep screwing up. :)
>-----------------------
>
>I took the liberty to demonstrate another concept: Code Injection. Compile
>my sqlparameters2 project as an executable.
>Download http://www.class-software.eu/myfunc.fxp and place it in the same
>folder as the exe. Don't worry, it's harmless but I hope you'll see how
>risky string concatenation is.
>
>Now enter this as username:
>Username: admin'" And MyFunc() &&
>Password: any random password.
Yup. Won't work though if I exclude any line-breaking or comment-starting
characters from the string.
Do you have an example that doesn't rely on line-breaking or
comment-starting characters that I can easily exclude?
Ken Dibble
www.stic-cil.org
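An added example, not from this thread or from the sqlparameters2 demo, that ports the two approaches under discussion to Python with sqlite3 so the comparison can actually be run: the concatenated statement beside a parameterised one, plus a literal port of the STRTRAN filter above, checked against the comment-starting input the message mentions and against a legitimate password that happens to contain the filtered characters. The table, user names and passwords are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory login table standing in for the demo's table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (login TEXT, pass TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [
        ("admin", "correct horse"),
        ("bob", "semicolons; and -- dashes are legal"),   # legitimate, but hits the filter
        ("o'brien", "x"),                                 # legitimate quote in the login name
    ])
    return con


def blacklist(text):
    """The STRTRAN filter proposed in the message, ported literally."""
    return text.replace("&&", "").replace("--", "-").replace(";", "")


def login_concat(con, mylogin, mypass):
    """String concatenation: the user's text is parsed as part of the SQL statement."""
    sql = ("SELECT COUNT(*) FROM users WHERE login = '" + mylogin
           + "' AND pass = '" + mypass + "'")
    try:
        return con.execute(sql).fetchone()[0] > 0
    except sqlite3.OperationalError:
        return None  # the statement itself broke, e.g. on a stray quote


def login_param(con, mylogin, mypass):
    """Parameterised: values travel separately and are never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE login = ? AND pass = ?"
    return con.execute(sql, (mylogin, mypass)).fetchone()[0] > 0


if __name__ == "__main__":
    con = make_db()
    # Comment-starting input, the case the thread discusses, against each version.
    print(login_concat(con, "admin' --", "wrong"))  # True: password check commented out
    print(login_param(con, "admin' --", "wrong"))   # False: treated as a literal login
    # A real user whose password contains the characters the filter removes.
    pw = "semicolons; and -- dashes are legal"
    print(login_concat(con, "bob", blacklist(pw)))  # False: filter mangled a valid password
    print(login_param(con, "bob", pw))              # True: no filtering needed
    # A quote in a legitimate login name breaks the concatenated statement entirely.
    print(login_concat(con, "o'brien", "x"))        # None
    print(login_param(con, "o'brien", "x"))         # True
```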
This message:
http://leafe.com/archives/byMID/profox/[email protected]